How to edit inputs.conf to monitor logs on Windows machine?

joydeep741
Path Finder

To monitor a file on a Windows machine with names like:
access.2016_09_23_00_00_00

I wrote the following stanza in inputs.conf

[monitor:///D:/Program Files/Tableau/Tableau Server/data/tabsvc/logs/httpd/access*]
   blacklist = \.(gz|bz2|z|zip)$
   index = tableau
   sourcetype = httpd_access

But I am getting an error:

 error getting attributes of path "D:/Program Files/Tableau/Tableau Server/data/tabsvc/logs/httpd/access*": The filename, directory name, or volume label syntax is incorrect.

How to resolve this?

0 Karma
1 Solution

javiergn
Super Champion

You need to use backslashes (the Windows way basically):

[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access*]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

You should also escape the dot from your blacklist.
See this

EDIT (include longer answer from comments):

Have you tried any of the following two approaches?

# Use a dot before the wildcard
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access.*]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

# Regex to the rescue. 
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\]
whitelist = access\.[\d\_]+$
# I don't think you need the blacklist anymore
# blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

Or alternatively and just to test:

# Use full name. Not exactly what you need but worth trying
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access.2016_09_23_00_00_00]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

Do you still get the same error when using any of the above?

Thanks,
J

joydeep741
Path Finder

The problem is not with slashes. All my other logs are getting monitored perfectly fine.
Only this one, where I have used a wildcard, is not getting monitored.

Windows seems to have a problem with *.

0 Karma

javiergn
Super Champion

Are you getting the same error message when you use the latest config I wrote above?

I can't see anything wrong with the wildcard and I've used it before on Windows but just in case, have you tried any of the following two approaches?

# Use a dot before the wildcard
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access.*]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

# Regex to the rescue. 
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\]
whitelist = access\.[\d\_]+$
# I don't think you need the blacklist anymore
# blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

Or alternatively and just to test:

# Use full name. Not exactly what you need but worth trying
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access.2016_09_23_00_00_00]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

Do you still get the same error when using any of the above?

0 Karma

joydeep741
Path Finder

[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd]
whitelist = access.[\d_]+$
# I don't think you need the blacklist anymore
# blacklist = .(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

This worked.
Thanks ..!!

0 Karma
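
An added example, not part of the original thread: a Python check of which file names in the monitored directory the whitelist and blacklist patterns from the stanzas above would select. It assumes Splunk applies these settings as unanchored regex searches against the full path with the blacklist taking precedence, uses Python's `re` in place of Splunk's PCRE engine, and all sample file names except the first are constructed.

```python
import re

# Patterns copied from the stanzas in this thread.
WHITELIST_ESCAPED = r"access\.[\d\_]+$"   # from the answer
WHITELIST_UNESCAPED = r"access.[\d_]+$"   # as pasted in the "This worked" reply
BLACKLIST = r"\.(?:gz|bz2|z|zip)$"

LOG_DIR = "D:\\Program Files\\Tableau\\Tableau Server\\data\\tabsvc\\logs\\httpd\\"

# Constructed file names; only the first follows the name given in the question.
SAMPLE_FILES = [
    "access.2016_09_23_00_00_00",
    "access.2016_09_22_00_00_00.gz",
    "access.2016_09_21_00_00_00.zip",
    "error.log",
    "access_2016_09_23",  # no literal dot after "access"
]


def is_monitored(path, whitelist=None, blacklist=None):
    """Assumed model: unanchored search on the full path, blacklist wins."""
    if blacklist and re.search(blacklist, path):
        return False
    if whitelist and not re.search(whitelist, path):
        return False
    return True


def coverage(whitelist=None, blacklist=None):
    """Return the sample file names that the given settings would pick up."""
    return [
        name for name in SAMPLE_FILES
        if is_monitored(LOG_DIR + name, whitelist, blacklist)
    ]


if __name__ == "__main__":
    cases = (
        ("whitelist, escaped dot", WHITELIST_ESCAPED, None),
        ("whitelist, unescaped dot", WHITELIST_UNESCAPED, None),
        ("blacklist only", None, BLACKLIST),
    )
    for label, wl, bl in cases:
        print(f"{label}: {coverage(wl, bl)}")
```

Because the whitelist ends in `[\d_]+$`, compressed rotations are already excluded without the blacklist, while the unescaped dot also admits `access_2016_09_23`.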

joydeep741
Path Finder

Tried backslashes as well. But of no help.

The problem is with *.

0 Karma

javiergn
Super Champion

My bad, I added 3 slashes after monitor and there should only be 2.

[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access*]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access
0 Karma